First off, happy holidays. 🙂 I hope this time of the year, chilly for many of you, has given you time to enjoy family, friends, and loved ones and reflect on the year before and the year to come.

My last message to you this year is an important but unfortunate one: we’ve fixed a pretty critical vulnerability in WordPress’ core HTML sanitation library, and because this library is used lots of places it’s important that everyone update as soon as possible. I realize an update during the holidays is no fun, but this one is worth putting down the eggnog for. In the spirit of the holidays, consider helping your friends as well. You can update in your dashboard, on the “updates” tab, or download the latest WordPress here: http://wordpress.org/download/

Posted December 29, 2010 by Matt Mullenweg. Filed under Releases,Security.

Version 3.0.4 of WordPress, available immediately through the update page in your dashboard or for download here, is a very important update to apply to your sites as soon as possible because it fixes a core security bug in our HTML sanitation library, called KSES. I would rate this release as “critical.”

I realize an update during the holidays is no fun, but this one is worth putting down the eggnog for. In the spirit of the holidays, consider helping your friends as well.

If you are a security researcher, we’d appreciate you taking a look over this changeset as well to review our update. We’ve given it a lot of thought and review but since this is so core we want as many brains on it as possible. Thanks to Mauro Gentile and Jon Cave (duck_) who discovered and alerted us to these XSS vulnerabilities first.